RFID Inside

The murky ethics of implanted chips

Wanted: Power-systems engineer with experience in high-power (5–100-kW) motor-­controller design. Must be U.S. citizen and have valid ISO1443-compatible access-control RFID implant.

Sound farfetched? Today, yes. A decade from now, maybe not.

With the proliferation of radio-frequency identification technology and the recent, but increasing, use of implantable RFID chips in humans, we may already be on a path that would make such an ad commonplace in a 2017 issue of IEEE Spectrum.

The benefits would be undeniable—an implantable RFID chip, which is durable and about the size of a grain of rice, can hold or link to information about the identity, physiological characteristics, health, nationality, and security clearances of the person it’s embedded in. The proximity of your hand could start your car or unlock your front door or let an emergency room physician know you are a diabetic even if you are unconscious. Once implanted, the chip and the information it contains are always with you—you’d never lose your keys again.

But there is a darker side, namely the erosion of our privacy and our right to bodily integrity. After all, do you really want to be required to have a foreign object implanted in your arm just to get or keep a job? And once you have it, do you really want your employer to know whenever you leave the office? And do you want every RFID reader–equipped supermarket checkout counter to note your presence and your purchases?

Until a couple of years ago, chipping humans was largely the domain of cybernetics provocateurs like Kevin Warwick or hobbyists like Amal Graafstra [see Graafstra’s accompanying article, ”Hands On”]. Then, in 2004, the U.S. Food and Drug Administration, which regulates medical devices in the United States, approved an RFID tag for implantation in humans as a means of accessing a person’s health records.

This tag, called VeriChip, is a short-range transponder that relies on the signal from a reader unit for its power supply [see photo, ” Anatomy of an RFID Tag”]. When exposed to a varying magnetic field from the reader, the chip powers itself up and repeatedly transmits a 16-digit code that is unique to the tag. According to the company, 2000 people have already had tags implanted.

The VeriChip tag is part of a health information system called VeriMed. The code contained in the implanted chip points to a record in a database identifying the patient and containing that patient’s health records. By scanning a person’s chip, caregivers can retrieve an identification code that enables them to access the medical history of people who cannot otherwise communicate their identities—speeding up their treatment and possibly saving their lives.

VeriChip Corp., a subsidiary of Applied Digital Solutions, headquartered in Delray, Fla., is also promoting its device as a security measure. It has six clients around the world, five of which use the implant as a secondary source of authentication, says Keith Bolton, vice president of government and inter­national affairs for VeriChip. The highest-profile example of this application came in 2004 when the attorney general of Mexico and 18 of his staff had chips implanted to allow them to gain access to certain high-security areas.

The tag is also finding use as a kind of implanted credit card. In trendy nightclubs in the Netherlands, Scotland, Spain, and the United States, patrons can get ”chipped”—at a cost of about US $165 in one establishment. In future visits, ”by the time you walk through the door to the bar,” one proprietor told Britain’s Daily Telegraph, ”your favorite drink is waiting for you, and the bar staff can greet you by name.”

And the list of proposed applications could grow quickly. VeriChip is advancing a scheme to ”chip” soldiers, as a replacement for a soldier’s traditional dog tag, and a VeriChip officer has proposed chipping guest workers entering the United States.

Before too many of those suggestions become realities, we need to examine carefully the very real dangers that RFID implants could pose to our privacy and our freedom. If we don’t figure out the risks and come up with ways to mitigate them, someone answering that ad for a power engineer may live in a world with considerably less privacy and feel compelled to have an implant just to be able to get a job.

The VeriChip tag’s main use, as a means of identifying patients who might be unable to communicate with caregivers and of accessing their medical records, could clearly be lifesaving in emergency situations. As long as the patient has provided informed consent and the privacy of the patient’s medical records is adequately protected, there are few ethical concerns with the technology. But VeriChip Corp.’s well-meaning attempt to improve personal health care may serve as a beachhead for wider use, and that expansion could create urgent ethical issues, particularly if an element of coercion enters into the process.

Consider, for example, a proposal by Scott Silverman, CEO of VeriChip. In an interview on 16 May 2006 on Fox News Channel (a U.S. television network), he proposed implanting chips in immigrants and guest workers to assist the government in later identifying them. Shortly afterward, the Associated Press quoted President Álvaro Uribe of Colombia as telling a U.S. senator that he would agree to require Colombian citizens to be implanted with RFID chips before they could gain entry into the United States for seasonal work.

Guest workers might ostensibly consent to having chips implanted. But would chipping them be truly voluntary? Such ”voluntary” actions may determine a person’s ability to earn a living, and the worker might not view the implantation as something he or she could refuse. What person facing poverty at home and given the prospect of a job in a different country would be in a position to argue?

At a practical level, when chips are implanted in guest laborers, who pays for the cost of purchasing, implanting, and monitoring the chips in hundreds or thousands of poor migrants? If someone has an adverse reaction to the chip so that it has to be removed or replaced, who bears that cost? And who pays if the chips become obsolete or compromised by rampant cloning—the illicit duplication of the supposedly unique device—and have to be replaced? Affluent patrons of a trendy club might gladly pay to be chipped, but the situation would certainly be different for those pursuing temporary minimum-wage jobs in a foreign country.

Silverman made his proposal, that immigrants and guest workers be implanted with RFID chips, amid a national debate in the United States about illegal immigration, focusing on impoverished Latin Americans in search of work. But might Silverman’s proposition apply as well to electrical engineers or doctors, or other high-status individuals coming into the country for work? Who decides?

Mandating guest workers to have RFID chips implanted in their bodies for identification purposes strikes us as coercive and opportunistic. That approach makes the RFID chip a branding device similar to what a cowboy uses when he sears the haunches of his cattle or the tattoos that the Nazis forced on their victims in concentration camps. It goes against the widely held belief in basic human rights and might even be interpreted as a violation of Article 3 of the United Nations’ Universal Declaration of Human Rights, which affirms everybody’s right to ”life, liberty, and security of person.”

Social researchers are just beginning to study people’s attitudes to implanted RFID. Christine Perakslis and Robert Wolk at Bridgewater State University, in Massachusetts, questioned 141 college students on their feelings about implanted RFID. Respondents were asked if they would be willing to have an implant to prevent ID theft, to combat terrorism, for other national security reasons, as a life-saving device, or to ensure the safety of themselves and their families. About a third of the respondents were willing to be implanted, while less than half of them were not. Wolk and Perakslis’s subjects were the least comfortable with chipping as a cure for ID theft. The reasons that garnered the most support for getting chipped were to save their lives or to ensure the safety of their family.

”If they are putting something inside of you,” one respondent replied, ”it’s like you’re changing yourself. It's not right"

Another small survey in 2003 by Starr Roxanne Hiltz, professor of information systems at the New Jersey Institute of Technology, in Newark, and her colleagues found that 18 out of 23 people questioned objected to the idea of implantable chips as identification.

Some of the resistance has to do with feelings about modification to one’s body. ”If they are putting something inside of you,” one respondent replied, ”it’s like you’re changing yourself. It’s not right.” As the wide variety of acceptable and unacceptable piercings and tattoos found around the world attests, people of different backgrounds vary in their attitudes toward ”changing yourself.”

Tattoos, an ID technology that is at least 4000 years old, share some key qualities with implanted RFID tags. Both could be used for the same ­purposes and are intended to be permanent—they can be removed, but only with some difficulty and not without assistance. The only differences are that, compared with a tattoo, an RFID chip is invisible, may be easier to read surreptitiously, and is a little more difficult to duplicate. Yet we suspect most people, regardless of their feelings toward being chipped, would balk at the idea of accepting a machine-readable tattoo as a means of identification, even if such an indelible marking had some personal or societal benefit.

If there were a societal benefit, could a government require individuals to modify their bodies? For public health purposes, the answer is yes. In the United States, for example, students must have certain immunizations before attending public school. But this example is the only instance we can think of. Could a health care–related implant such as the VeriChip tag become a public health imperative? Would that use lead down a slippery slope toward universal chipping? It seems unlikely.

VeriChip Corp. does not, in fact, advocate universal chipping for medical purposes. The company’s vice president of medical applications, Richard Seelig, estimates a U.S. market for VeriMed of 43 million to 45 million people—less than one-sixth of the population. This group is made up of people who are more likely than others to wind up in the emergency room. These include cancer patients undergoing chemotherapy; people with pace­makers or other medical implants; and those who might be suffering some sort of cognitive impairment or loss of consciousness due to epilepsy, diabetes, or Alzheimer’s disease.

Photo: Oran Barber/Beth Israel Deaconess Medical Center

Test Case

Dr. John Halamka [right] got chipped. He later helped expose a weakness in VeriChip’s security.

We believe that even Seelig’s estimates of the potential size of the market for patient identification are grossly exaggerated. ”For certain subpopulations—Alzheimer’s patients, the mentally ill, people with communication difficulties—having an implanted identifier makes great sense,” says John Halamka, a former emergency physician and now CIO at Beth Israel Deaconess Medical Center, in Boston. ”Others can just carry a card in their wallet, a medic-alert bracelet, or a USB drive with their personal health records. There is no clear medical or business justification for chipping large populations of healthy people.”

In fact, so far there is no clear evidence that the VeriChip will help patients facing medical emergencies. The first study designed to determine whether patients, physicians, and insurers benefit at all from VeriChip began only last fall, in New Jersey.

Other nonimplanted technologies based on RFIDs may soon provide some of the benefits to the patient VeriChip hopes for. For instance, nonprofit health care informatics organization MedicAlert is researching RFID-enabled bracelets that would link to a personal health care record. However, as with VeriChip, a key question is how to ensure the privacy of the information in the databases, while at the same time providing easy access to the database by caregivers in emergency situations.

A right to privacy is at the heart of some of the questions raised by implanted RFID tags. In agreeing to be chipped for medical purposes, the patient gives up a measure of privacy for his or her own potential benefit. But when chipping is used for other reasons, difficult confidentiality issues can arise. When a business gives an identity card to a newly hired worker, for example, the company retains ownership of the card. But will the employer also own the chip inside an employee’s body?

A test case may be on the horizon: the first U.S. company to implant employees with VeriChip, CityWatcher.com, in Cincinnati, recently closed its doors. Its CEO, Sean Darks, himself an implantee, did not return repeated phone calls inquiring whether employees kept their implants after the company folded. VeriChip itself makes no recommendation about whether former employees should be ”dechipped,” says the company’s Bolton. But he says removal is a quick and easy procedure. ”I’ve had many [chips] in and out of my body,” he says.

Perhaps just as important a question as who owns the chip is that of who owns the data on the chip. Can the tag be read and its data used without the consent of the person who has it implanted?

Fears that some individuals have expressed about being tracked through an implanted chip are probably unrealistic. The VeriChip and most other passive RFID devices, those that derive their power from the reader, provide only an identification number and can be probed only from very short distances. The VeriChip is readable only at 10 centimeters or less using its handheld scanner.

This distance can be increased, however, using more efficient antennas. Digital Angel Corp., in St. Paul, Minn., also owned by VeriChip’s parent company, Applied Digital Solutions, is developing a ”walk-through” scanner with greater range. Nevertheless, the prospects of a ”drive-by” theft of a person’s identity seem remote, and even more remote is the possibility that the government or some other organization might track an individual moving about in ordinary life.

Still, if the computer age has one lesson, it is that systems and data are invariably less secure than their proponents claim. Particularly troubling for a device that is being marketed for access control, the VeriChip lacks modern cryptographic and other protections and is prey to simple attacks [see online sidebar, ”How VeriChip Works…and Doesn’t ”]. In a recently published article in the Journal of the American Medical Informatics Association, Beth Israel’s Halamka and colleagues showed how easily a simple-to-build device can scan the chip and replay the radio signal to fool a VeriChip reader [see ”Test Drive”].

This flaw may be insignificant when the chip is being used for identification purposes—for example, with an Alzheimer’s patient. But Halamka and his coauthors argue forcefully that the chip should not be used for authentication purposes to control access to sensitive areas or information.

Though for now they store nothing more than a number, inevitably, implanted RFID chips will store more data and databases will be created that link information on implanted chips to other facts about a person. It is easy to foresee situations in which even a simple identification number might lead to harm—consider the millions of dollars lost to identity theft in the United States because of the disclosure of Social Security numbers and similar data.

So what can we do about implanted RFID’s impending problems? Using legislation to restrict their use is an obvious measure; in fact, laws are already in the works. Faced with widespread public concerns about this technology, more than 10 U.S. states have enacted laws limiting implants. In May 2006, for example, Wisconsin passed a bill that would prohibit requiring anybody to have a microchip implanted.

But laws might be difficult to enforce if implanted chips, like drivers’ licenses, remain voluntary but become de facto requirements for many kinds of employment or services. And the Wisconsin law does nothing to allay worries about the loss of privacy. Governments may need to make the unauthorized reading of an implanted RFID tag illegal as well.

Some of the ethical concerns can be addressed with better technology. Ari Juels, head of RSA Laboratories, the R&D arm of RSA Security, in Bedford, Mass., believes that, with proper encryption methods, a person’s privacy can be preserved without decreasing the usefulness of the implant. Juels says that the ease with which a thief can steal a VeriChip radio signal makes the tag a poor security tool, but that it eliminates a thief’s incentive to kidnap or carve someone up. So together with Halamka and others, he developed a technique that still lets a thief copy the chip’s radio signal but at the same time keeps the actual ID number it represents safe. Lest you think criminals would not go to such extremes, in 2005 BBC News reported that thieves stole a car protected by a fingerprint-reading lock by chopping off the owner’s finger.

Halamka’s solution, by the way, would make it impossible to track an implanted individual by noting which RFID readers—at stores, doors, gas pumps—picked up his or her radio signature. Crucial to Juels’s technology is that the chip’s radio signature changes unpredictably each time it’s read, even though the bits it encodes remain the same.

But maybe the ultimate solution, to allow accurate identification of individuals without some of the ethical issues raised by implanted radio chips, might require a different technology completely—biometric scanners. Although such devices are more costly than RFID-chip readers, they will inevitably become more affordable with time. And the ”tags” are always going to be more ­competitive: after all, we have all already been issued our fingerprints.

About the Author

KENNETH R. FOSTER, an IEEE Fellow, is a professor of bioengineering at the University of Pennsylvania, in Philadelphia, and a former president of the IEEE Society on Social Implications of Technology. JAN JAEGER is a former emergency room nurse who teaches at Penn’s School of Nursing and was a fellow at the university’s Center for Bioethics.

To Probe Further

To get a grasp of how people feel about implanted RFIDs, see ”Social Acceptance of RFID as a Biometric Security Method,” by Christine Perakslis and Robert Wolk, IEEE Technology and Society Magazine, Fall 2006.

Katina Michael, a lecturer at the University of Wollongong, in Australia, has examined the societal implications of RFID implants and related technologies. See http://ro.uow.edu.au/kmichael.

A major technical conference, IEEE RFID 2007, will be held in Grapevine, Texas, from 26 to 28 March.